3 Steps to kick-start OCI monitoring in CASB
March 21, 2019 | 4 minute read
Uday Sambhara
Introduction
Oracle CASB Cloud Service is used for security monitoring the cloud footprint of SaaS, PaaS and IaaS components. CASB, when configured to monitor Oracle Cloud Infrastructure (OCI), can detect risk, anomalies and potential security violations.
In OCI, the target of CASB monitoring is a compartment. Once an OCI compartment is configured in CASB, out-of-box baseline monitoring kicks in to find security anomalies. However, policies still need to be configured to truly start monitoring the events of interest to an organization.
This is where the following 3 steps will get you from baseline monitoring to assuredly monitoring indeed. Let’s see those.
Step 1: Login to CASB console, select “Policy Management” and go to “Managed” Tab. In this example the usecase i picked is to configure a policy to monitor changes on OCI admins group. There is a managed policy provided out of box for this usecase but the group it monitors is set to a placeholder value.
Since ‘Managed’ Policies are non-editable, choose ‘Copy To Custom’ from Action dropdown to copy a policy to a custom policy.
By default a custom policy created from managed policy will have the Name appended with Date and TimeStamp and placed under ‘Custom’ Tab.
Step 2: Login (or access by api) to OCI tenant and get the OCID of the ‘Administrators’ group or any group to be monitored and alerted on.
Step 3: Back in the CASB console, update the previously created policy and set the OCID of administrators group and submit, as seen in few key screen captures below.
Make sure to enable the newly created custom policy.
Conclusion
In this post we saw the bare minimum steps to start getting alerted on OCI events. As an example, we saw how to monitor changes to the OCI admin group, which is something we do recommend, by the way. What would you do to monitor any other resources? No surprise here, since most of the templates and managed policies are placeholders for OCI. You need to get the OCID of the resource to be monitored and repeat the 3 steps above. Having a valid OCID is key here.
Worth noting these policies are not of the type ‘fire and forget’. Best practice is to tune and prune on the policies as you go, to get the quality and quantity of alerts palatable for your organization. Correlation of generated events/alerts and how to drill down through the event and alerts would be a topic for another blog post.